Complying with GDPR as a Lightspeed OnSite merchant

The EU General Data Protection Regulation (GDPR) is designed to harmonize data privacy laws across Europe, to protect and empower the data privacy of all EU citizens and to reshape the way organizations across the region approach data privacy.

The GDPR takes effect on May 25, 2018 and here are helpful answers to the essential FAQs:

What is GDPR?

Who is affected by GDPR?

What are Data Processing Agreements (DPAs) and why do I need to sign them?

As a Lightspeed OnSite merchant, how do I comply with GDPR requests from customers and users?

In which scenarios would I need to submit a GDPR request to Lightspeed Support?

As a Lightspeed OnSite merchant, what do I need to do in the event of a data breach?

What are some additional resources that can guide me as a GDPR-affected merchant?

What is GDPR?

The GDPR is a new law that aims to give EU citizens more control over their data by regulating how businesses process personal data. In other words, GDPR governs anything businesses can do with personal data which includes viewing, storing, changing, transferring and even deleting personal data. Under GDPR, personal data is defined as any information related to a natural person (or "data subject") that can be used to directly or indirectly identify them. This includes information such as names, addresses, email addresses and phone numbers.

For more information on the GDPR and Lightspeed's efforts to comply with it, please read our helpful links or contact us at gdpr@lightspeedhq.com:

Who is affected by the GDPR?

The GDPR affects Lightspeed OnSite merchants established in the European Union (EU) and/or merchants who process personal data from customers residing in the EU. For example, you would be affected by the GDPR if either of the following two criteria applies to you:

Your OnSite store resides in the EU.

Your OnSite store resides in the USA and you have a customer who resides in the EU.

What are Data Processing Agreements (DPAs) and why do I need to sign them?

As Lightspeed is helping OnSite merchants in the processing of personal data, we are required by law to enter into a Data Processing Agreement (DPA) with our GDPR-affected OnSite merchants. If you're an OnSite merchant established in the European Union, you should have received the DPA by email.

Signing the DPA is fully to your benefit as it creates specific rights for you in relation to Lightspeed’s processing activities. Also, it clearly describes all the obligations that Lightspeed has towards you. Once you've signed the DPA, it is effective immediately and is legally binding. If you haven't received the DPA from us yet, it's important that you reach out to gdpr@lightspeedhq.com and sign it as soon as possible. This will ensure that you're compliant with the GDPR and avoid fines from the privacy authorities.

It's also important to note that, with your permission, Lightspeed shares the personal data that you control in your OnSite account with the partners that you've selected to integrate with. This allows our partners to pull the data they need to build their integrations and allows Lightspeed to offer the best business solution to you as an OnSite merchant. Because of the data-sharing nature of our partner integrations, if you're a GDPR-affected OnSite merchant who has integrated your OnSite account with a partner, you'll also need to enter into a DPA with that partner.

We recommend that our OnSite merchants do their due diligence to confirm the identity of their users and customers before completing their GDPR requests. We also recommend identifying any reason why you might need to keep some of the personal data that your customer or user is requesting to delete (e.g. for tax, regulatory or payment processing (chargeback) reasons).

If you're an Omnichannel merchant, you'll also need to perform the above actions in eCom to complete GDPR requests.

Similarly, OnSite merchants that have integrated their accounts with one of our partners need to contact them directly to learn what personal data they have and how to complete GDPR requests on their end.

NOTE: All of our Lightspeed products support the above GDPR requests. For instructions specific to your Lightspeed product, please see their respective GDPR Help articles:

As a Lightspeed OnSite merchant, what do I need to do in the event of a data breach?

Under GDPR, a data breach is defined as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."

If the data breach relates to data Lightspeed is processing on your behalf as a processor, we will always notify you within 36 hours after discovery. It is then your responsibility as a Lightspeed OnSite merchant to assess whether or not you need to notify the supervisory authorities, your customers and your users. We recommend following the European Commission's guidelines when making your assessment.

If you've determined that the data breach is likely to result in a high risk to the rights and freedoms of your customers and/or users, you'll need to:

Notify the supervisory authorities within 72 hours after discovery.

Notify the affected customers and/or users ("data subjects") as soon as possible and include the following information:

a description of the nature of the breach;

the name and contact details of your data protection officer or other contact point;

a description of the likely consequences of the breach;

a description of the measures that you've taken or have proposed to take to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Keep a record of all the data breaches that have occurred, regardless of whether you're obliged to notify the authorities, your customers or your users.

However, if any of the following conditions is met, communication to each individual customer and/or user isn't required:

You've implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption.

You've taken subsequent measures which ensure that the high risk to the rights and freedoms of your customers and/or users is no longer likely to materialize.

Communicating with each of your customers and/or users individually would involve disproportionate effort. In that case, you'll be required to issue a public communication or take a similar measure that informs them in an equally effective manner.

What are some additional resources that can guide me as a GDPR-affected merchant?

Beyond complying with the GDPR as a Lightspeed OnSite merchant, it's easy to get overwhelmed by the amount of GDPR information that's circulating and by its requirements. To point you in the right direction and help you get started, below you'll find some additional resources that aim to guide GDPR-affected merchants.